Setting up passwordless login with a U2F token (Yubikey 5)

I am trying to set up passwordless login on Linux Mint 19.3 so that I can log in with either a Yubikey token or my password. I followed the instructions on the Yubico website and in this thread, but I cannot get it to work.

In short, this is what I did:

  1. sudo pamu2fcfg -u `whoami` > /etc/Yubico/u2f_keys
  2. I created /etc/pam.d/common-u2f with the following content:

    auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys debug debug_file=/var/log/pam_u2f.log authpending_file=/etc/Yubico/pam-u2f-authpending
  3. I added

    @include common-u2f
    @include common-auth

    to the following files: lightdm, sudo, login, cinnamon-screensaver

Now I can run sudo, unlock the screen and log in (but only after logging out) using just the Yubikey. However, when I try to log in after a reboot, something strange happens. I see the light on the Yubikey blinking, and after I touch it the screen goes black as if it were about to bring up my desktop, but then it returns to the login screen. So basically, if I try to use the Yubikey, it gets stuck in a login loop. To get out of it I just remove the token and use my password.

When I look at the debug log, I see that it tries to authenticate me twice. The first attempt succeeds, but the second one complains that it cannot find a U2F device. I do not know why the pam_u2f.so module is called twice after a reboot, whereas for sudo, unlocking the screen and login (after logging out) it is called only once (as expected). Here is the content of the debug log:

debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): flags 0 argc 4
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[0]=authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[1]=debug
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[2]=debug_file=/var/log/pam_u2f.log
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[3]=authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:106 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:107 (parse_cfg): cue=0
debug(pam_u2f): ../pam-u2f.c:108 (parse_cfg): nodetect=0
debug(pam_u2f): ../pam-u2f.c:109 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:110 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:111 (parse_cfg): openasuser=0
debug(pam_u2f): ../pam-u2f.c:112 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:113 (parse_cfg): authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:114 (parse_cfg): authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:115 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:116 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:117 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:169 (pam_sm_authenticate): Origin not specified, using "pam://host1"
debug(pam_u2f): ../pam-u2f.c:181 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://host1)
debug(pam_u2f): ../pam-u2f.c:192 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user user1
debug(pam_u2f): ../pam-u2f.c:221 (pam_sm_authenticate): Found user user1
debug(pam_u2f): ../pam-u2f.c:222 (pam_sm_authenticate): Home directory for user1 is /home/user1
debug(pam_u2f): ../pam-u2f.c:271 (pam_sm_authenticate): Using authentication file /etc/Yubico/u2f_keys
debug(pam_u2f): ../util.c:105 (get_devices_from_authfile): Authorization line: user1: 
debug(pam_u2f): ../util.c:110 (get_devices_from_authfile): Matched user: user1
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 1: 
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 1: 
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 2: 
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 2: 
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): ../util.c:194 (get_devices_from_authfile): Found 2 device(s) for user user1
debug(pam_u2f): ../pam-u2f.c:340 (pam_sm_authenticate): Using file '/etc/Yubico/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): ../util.c:277 (do_authentication): Device max index is 0
debug(pam_u2f): ../util.c:311 (do_authentication): Attempting authentication with device number 1
debug(pam_u2f): ../util.c:335 (do_authentication): Challenge: { "keyHandle": "", "version": "U2F_V2", "challenge": "", "appId": "pam:\/\/host1" }
debug(pam_u2f): ../util.c:349 (do_authentication): Response: { "signatureData": "", "clientData": "" }
debug(pam_u2f): ../pam-u2f.c:410 (pam_sm_authenticate): done. [Success]
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): flags 0 argc 4
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[0]=authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[1]=debug
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[2]=debug_file=/var/log/pam_u2f.log
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[3]=authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:106 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:107 (parse_cfg): cue=0
debug(pam_u2f): ../pam-u2f.c:108 (parse_cfg): nodetect=0
debug(pam_u2f): ../pam-u2f.c:109 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:110 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:111 (parse_cfg): openasuser=0
debug(pam_u2f): ../pam-u2f.c:112 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:113 (parse_cfg): authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:114 (parse_cfg): authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:115 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:116 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:117 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:169 (pam_sm_authenticate): Origin not specified, using "pam://host1"
debug(pam_u2f): ../pam-u2f.c:181 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://host1)
debug(pam_u2f): ../pam-u2f.c:192 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user user1
debug(pam_u2f): ../pam-u2f.c:221 (pam_sm_authenticate): Found user user1
debug(pam_u2f): ../pam-u2f.c:222 (pam_sm_authenticate): Home directory for user1 is /home/user1
debug(pam_u2f): ../pam-u2f.c:271 (pam_sm_authenticate): Using authentication file /etc/Yubico/u2f_keys
debug(pam_u2f): ../util.c:105 (get_devices_from_authfile): Authorization line: user1: 
debug(pam_u2f): ../util.c:110 (get_devices_from_authfile): Matched user: user1
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 1: 
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 1: 
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 2: 
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 2: 
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): ../util.c:194 (get_devices_from_authfile): Found 2 device(s) for user user1
debug(pam_u2f): ../pam-u2f.c:340 (pam_sm_authenticate): Using file '/etc/Yubico/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): ../util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): ../pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): ../pam-u2f.c:410 (pam_sm_authenticate): done. [Authentication failure]

As you can see from the log, it tries to authenticate me twice. I do not know why. Any help would be appreciated!

Answer 1

After a lot of exhaustive research and debugging, I came to a very simple realization: passwordless login does not work for me because my home folder is encrypted. It can only be decrypted with my password, and since Linux does not store the actual password anywhere (only a hash), I have to supply it in order to log in after a reboot. Incidentally, this also explains why I was able to log in with the Yubikey after logging out and to use the other commands that rely on the common-auth PAM file.

Answer 2

I think this should be a variant of this approach: https://github.com/agherzan/yubikey-full-disk-encryption

When you enter your password, it has to unwrap the hash needed for the home folder directory, so the same method has to be used, but after the key is used.

If you are reading this article about encrypting home after installation, https://www.linuxuprising.com/2018/04/how-to-encrypt-home-folder-in-ubuntu.html

you can get the key in step 5. Print it out and record the recovery passphrase.

I believe it should be possible to "reroute" the unwrapping so that it happens after the key, or you should encrypt your home with the key, but then if you lose the key you cannot log in with the password. I think it should be possible to encrypt home with an asymmetric key so that both the password and the U2F key can decrypt it.

We just need some Linux security expert to tell us how to do it, maybe here: https://blog.rtwm.io/2021/03/complete-u2f-yubikey-linux-mint-20-login-with-encrypted-home-folders/

I think I will figure it out eventually.

Look at the file /etc/pam.d/common-auth

Part of it is

    # and here are more per-package modules (the "Additional" block)
    auth    optional    pam_ecryptfs.so unwrap

...pam_ecryptfs.so unwrap is most likely about the home folder, so I think we need to put

    auth required pam_u2f.so authfile={your-non-home-location}

before that ... pam_ecryptfs.so unwrap

To be continued...
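To make the module ordering discussed in step 3 of the question and in the common-auth excerpt of answer 2 concrete, here is an added example of my own (it is not code from the original posts, from pam-u2f or from any distribution). It resolves a Debian-style pam.d service file by expanding @include, then simulates which modules actually execute under simplified Linux-PAM control semantics. The pam.d contents are constructed samples modelled on the lines quoted in the thread (the common-auth layout is assumed to match Ubuntu 18.04 with ecryptfs-utils installed), and the per-module outcomes are assumptions used only to drive the simulation.

```python
"""Resolve a Debian/Ubuntu-style PAM stack (following @include) and simulate
which modules actually execute. Added example for this thread, not code from
the original posts. The pam.d contents below are CONSTRUCTED samples modelled
on the lines quoted in the question and in answer 2; the module outcomes are
assumptions used to drive the simulation.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (control, module, arguments)

# Constructed sample of /etc/pam.d mirroring the question: lightdm pulls in
# common-u2f before common-auth, and common-auth ends with the "Additional"
# block carrying pam_ecryptfs.so unwrap (assumed Ubuntu 18.04 layout).
SAMPLE_PAMD: Dict[str, str] = {
    "lightdm": "@include common-u2f\n@include common-auth\n",
    "common-u2f": "auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys\n",
    "common-auth": (
        "auth    [success=1 default=ignore]  pam_unix.so nullok_secure\n"
        "auth    requisite                   pam_deny.so\n"
        "auth    required                    pam_permit.so\n"
        "# and here are more per-package modules (the \"Additional\" block)\n"
        "auth    optional    pam_ecryptfs.so unwrap\n"
    ),
}

# Same layout with the placement sketched in answer 2: pam_u2f.so as a
# 'required' entry immediately before pam_ecryptfs.so, and no common-u2f.
SAMPLE_PAMD_ANSWER2: Dict[str, str] = {
    "lightdm": "@include common-auth\n",
    "common-auth": SAMPLE_PAMD["common-auth"].replace(
        "auth    optional    pam_ecryptfs.so unwrap\n",
        "auth    required    pam_u2f.so authfile=/etc/Yubico/u2f_keys\n"
        "auth    optional    pam_ecryptfs.so unwrap\n",
    ),
}

# Keyword controls expressed as the bracket actions they stand for (pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def resolve_stack(pamd: Dict[str, str], service: str, facility: str = "auth") -> List[Entry]:
    """Return the ordered entries of one facility, expanding @include recursively."""
    stack: List[Entry] = []
    for raw in pamd[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            stack.extend(resolve_stack(pamd, line.split()[1], facility))
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) == facility:
            stack.append((m.group(2), m.group(3), m.group(4)))
    return stack


def parse_control(token: str) -> Dict[str, str]:
    """Turn 'required' or '[success=1 default=ignore]' into a return->action map."""
    if token.startswith("[") and token.endswith("]"):
        return dict(kv.split("=", 1) for kv in token[1:-1].split())
    return KEYWORD_CONTROLS[token]


def simulate(stack: List[Entry], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack with the given per-module return values (simplified
    Linux-PAM semantics: ok/bad/die/done/ignore and 'success=N' jumps).
    Returns (overall result, modules that actually executed)."""
    executed: List[str] = []
    final = None  # None until some module sets the stack result
    i = 0
    while i < len(stack):
        control, module, _args = stack[i]
        actions = parse_control(control)
        ret = outcomes.get(module, "auth_err")  # unknown modules are assumed to fail
        executed.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action.isdigit():            # success=N: skip the next N entries
            i += int(action)
            action = "ok"
        if action == "ignore":
            continue
        if final is None or final == "success":
            final = ret                 # an earlier failure is never overridden
        if action == "die" or (action == "done" and final == "success"):
            break                       # requisite failure, or sufficient success
    return (final if final is not None else "perm_denied"), executed


def unwrap_skipped(pamd: Dict[str, str], outcomes: Dict[str, str]) -> bool:
    """True when lightdm's auth stack succeeds without running pam_ecryptfs.so,
    i.e. the home directory key is never unwrapped during authentication."""
    result, executed = simulate(resolve_stack(pamd, "lightdm"), outcomes)
    return result == "success" and "pam_ecryptfs.so" not in executed


# Assumed outcomes: token touched, no password typed.
TOKEN_ONLY = {"pam_u2f.so": "success", "pam_unix.so": "auth_err",
              "pam_permit.so": "success", "pam_ecryptfs.so": "success"}
# Assumed outcomes: token touched and the correct password typed.
TOKEN_AND_PASSWORD = {**TOKEN_ONLY, "pam_unix.so": "success"}

if __name__ == "__main__":
    for name, pamd in (("question", SAMPLE_PAMD), ("answer 2", SAMPLE_PAMD_ANSWER2)):
        for label, outcomes in (("token only", TOKEN_ONLY), ("token+password", TOKEN_AND_PASSWORD)):
            result, executed = simulate(resolve_stack(pamd, "lightdm"), outcomes)
            print(f"{name:9} {label:15} -> {result:12} ran: {executed}")
```

Running it shows the two placements side by side: with the question's `sufficient pam_u2f.so` ahead of common-auth, a successful touch ends the stack at the first module, so pam_ecryptfs.so unwrap never runs during authentication and nothing has captured the passphrase that the session phase needs to mount the encrypted home. With the `required pam_u2f.so` placement from answer 2, pam_unix.so runs first, so the stack only succeeds when both the password and the token are accepted, and pam_ecryptfs.so then executes as usual. The simulator can be pointed at a copy of a real /etc/pam.d directory by reading the files into the same dict, which is a cheap way to check a stack before rebooting.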